Wed, 5 Dec 2012

Last month saw the inaugural SensePost hackathon happen in our new offices in Brooklyn, South Africa. It was the first time the entire company would be in the same room, let alone the same continent, together and away from the pressures of daily work constraints. The idea was simple: weeks before the date, we sent out emails to everyone in the company (not just the tech teams but everyone) to think about ideas, tools, approaches or new business lines that they felt would make us even better at what we did.

Hackathons are used by many tech companies to give their employees breathing space to work on new ideas. Google and Facebook are big fans and Facebook's Like button was conceived as part of a hackathon. Getting everyone together at the same time was no mean feat, the term 'herding cats' springs to mind but on the week of 12th of November, all SensePost'rs were in our new offices and ready to break, build and develop.

Prior to the event, we asked everyone to think about what they wanted to work on. As mentioned above, there was no specific guideline as to what anyone could come up with, as you can't force creativity. After a brainstorming session, the following ideas were given and solutions made during the hackathon period*:

Location whereabouts functionality (who is in the office, who's at a client etc.)

Cool links functionality

SensePost short URL functionality

Ability to call $username via Gtalk/Skype

3. SensePost SMS Gateway App

An application that allows us to utilise SMS from a company-wide perspective, including:

Ability to receive OTP passwords to a central number

Ability to send passwords to clients via web interface (for sales)

Ability to send HackRack passwords to clients via web interface

Rogan decided to use kannel to interface with a GSM dongle in an Ubuntu server. This exposed a web API. Glenn then wrote a Python script to monitor for new mail
arriving to a SensePost email address, which then dispatched SMSs via kannel.

4. Magstripe Hacking

Having moved into our new fancy offices, we decided to look at the current implementation of magstripe used to work out if we could read the data, clone the data and create free parking for us (at the same time, potentially looking for flaws in the magstripe implementation). The magstripes on the parking tickets were very unsual. Between the reader in the office, and Andrew Mohawk's more advanced ones, we could not get a consistent read. It is possible that the cards use an unusual arrangement of tracks. Typically there are 3 horizontal tracks at predefined heights. If the tracks are at unusual heights we may have been getting interference between said tracks. Andrew has tried to dissect one of the cards, but no luck yet.

Watch this space.
5. AV VirusTotal Project

Rather than submitting our payloads to VirusTotal (who then inform the vendors), we will create our own version that uses all vendors, to determine if our custom payloads could be detected.

6. SensePost Green Project

A project to make our business greener in approach and ideas. How responsibly were we using resources? What was our consumption of electricity and water like and could it be made better?

With teams created and everyone clear on what they had to do, 48-hours were given to create the above ideas. Food, drink, hardware and toys were provided. Vlad brought some amazing Russian Vodka and energy drinks were supplied.

Whilst the older farts faded quickly (I'll put my hand up, 1am and I was broken), the younger crowd went through the night and into the next morning. From simple ideas at first, fully-fledged solutions were designed and then developed in a short space of time. The idea was that once the hackathon 48-hour period was over, everyone would present the results and we'd head outside to our balcony to have a traditional SA braai (barbecue)

The cool thing about the hackathon was that some of the top ideas came from traditionally non-technical people, such as our finance wizard who came up with the idea of the SensePost world app. This was the outcome that we wanted: to prove that you don't need to be a heavy tech-orientated person to come up with meaningful projects or ideas.

Overall the 2012 Hackathon was a brilliant time had. Some amazing ideas have come to light, ones that will see us pushing offensive approaches and also ones that will have an impact on the way we work at SensePost.

For those thinking about running an internal hackathon, I'd say go for it. Giving people the space to work on ideas with likeminded colleagues will only bring benefits.

*There were other projects, but they won't see the light of day as of yet, so will remain confidential until the time is right.

Wed, 9 Mar 2011

In the movie "The American President", the statement is made that America has advanced citizenship and that "you gotta want it bad, because it will put up a fight". The same can be said for vulnerability management. It is never a completed exercise or a process where the status quo can be maintained quite easily, especially in a distributed enterprise environment. The reason: change.

SensePost recognised early on that just having an accurate vulnerability scanner isn't good enough to ensure continuous and less arduous vulnerability management. There needs to be workflow and efficiency build into such a scanner. Hence our HackRack and now lately, our BroadView managed vulnerability scanning offerings.

But, no matter how good a scanner is or how well the workflow has been designed, there is still a very large amount of manual analysis required.

For example:

In BroadView, when viewing scan results, by default the Medium, High and Critical findings are shown. Fab and groovy. But, should one just stop there? The Low and Info findings can be as interesting as the rest. For example, a client of ours that usually has a handle on things, had an informational finding about virtual directories being guessable on one of their web servers: the directories "/testing" and "/test" were identified. This "/testing" directory turned out to contain the beta version of a new e-commerce web application and even though reasonable security was in place, a blind SQL injection test showed us they were developing on live data. Just like that, an informational finding became a critical finding. If we had been focused on CVSS scores and risk impact only, this finding would have been flying under the radar.

What we saw on BroadView:

Vulnerability management is not easy. It will put up a fight; be that in the form of stubborn sysadmins not closing the holes or developers taking chances with release candidates and beta products. The vulnerability manager has to be on his/her toes and perform constant scanning and prodding. Vulnerability scanner results should never be taken at face value, and the associations between findings should be understood.

It is wise to keep in mind that vulnerability management is cyclic and repetitive. And as Dr Ruth always used to say: "Once, is not enough". You cannot scan once, find nothing, and sit back and relax. You may just miss your /testing directory.

For our BroadView customers we have added a couple of new blizzards to enhance the process to monitor results.

Missing Microsoft Patches (Operating System category)

Guessable Virtual Directories (Web Application category)

Open jBoss Consoles (Web Application category)

Blizzards are widgets (iGoogle style) of information queried from the vulnerability database in BroadView that provides users with a looking glass view of their environment. Under normal circumstances one would have had to go grep or search for very specific vulnerability IDs. With the blizzards, that cumbersome task has been removed.

The Missing Microsoft Patches blizzard combines all the possible patches that could be missing and this is especially necessary where Internet facing targets are scanned. Murphy's Law usually applies where patches and Internet facing devices are concerned - that one patch that can result in pwnage, is normally the one missing.

The output from the Missing Microsoft Patches blizzard would typically consist of an IP:Value output

The jBoss Console blizzard was created after we realised it is becoming more and more prevalent for consoles to be found open during assessments and vulnerability scanning.

Having access to world class pen-testers really does give the vulnerability management team a good insight into which vulnerabilities can actually lead to system compromise.

Thu, 3 Jun 2010

Most of our clients that make use of our vulnerability management service, HackRack, manage a large and usually interactive web application environment, that makes use of SSL. HackRack would then often report on findings such as weak cyphers in use (critical if the client has to adhere to PCI DSS), mismatching cert names and domain names, and then expired certs.

Now, this is easy to check and re-check when you have a couple of single hosts and openssl foo. But, a couple of hundred sites and things get interesting and time consuming.

To enable our own guys and other security minded folk, we build a Java based SSL certificate miner that will show you the "Issue By" and "Issued To" information plus whether the cert is strong and have or will expire soon.

Its nice and clean, and does the job in reasonable time. Future checks will include SSL version checking - again something that is required by the PCI DSS to be up to date and reported. Monitor our blog for future releases.

Tue, 6 Apr 2010

Following on from Evert's posting about the new BroadView v4, I'd like to showcase a specific aspect of BV that we've found useful, namely Attributes. These are small pieces of data collected and maintained for each host scanned by BV including somewhat mundane bits of info like IP address and OS but, they also include some really tasty morsels about remote hosts that are scanned. Attributes are collected on a per-scan-per-host basis, and are populated by each test that runs during the scan. Since attribute population is dependent on the selected tests, the set of Attributes available to you would vary according to you configuration.

Consider the trivial attribute Network.TCP.HTTP.Banner; this doesn't require credentials to acquire and is stored by a test that detects webservers. On the other hand, the test that stores Users.Microsoft.Windows.Group.SystemOperators.Members would require domain credentials in order to pull the needed info. This is common inside of organisations, where BV is primarily intended.

To help me explain the power of Attributes a little easier, here are a few scenarios:

Your IT manager wants to know which Windows machines are missing the new MS10-018 patch. Instead of trawling through all the latest scans looking for hosts that are affected , you simply:

Login to BroadView

Click Attributes

Select Patches.Microsoft.Windows.Missing

Click MS10-018

Download CSV

Done

Perhaps you have rolled-out a new WSUS system and need to find all the Windows hosts still configured with the old WSUS server name. Again:

Login to BroadView

Attributes

Config.Microsoft.Windows.WSUS.Server

Click the name of the old WSUS server

Download CSV

Done

Or you are trying to find all the hosts with a specific piece of software installed (e.g. uTorrent). Click Attributes >> Software.Installed.Microsoft.Windows >> uTorrent >> Download CSV.

As you can see the power and extensibility of BroadView Attributes is (according to opinions from the office) Simply Astonishing(tm). We are currently working with our Assessment team to include Attributes that would allow them to very quickly pull a list of all "low hanging fruit" vulnerabilities when performing an internal Pen Test.

Currently we collect just over 50 attributes, but are adding new ones as we either think of or clients request more. The full list is:

Tue, 30 Mar 2010

Ever since Ron Gula's RiskyBusiness talk #142 about their Nessus philosophy, I decided to come out of the closet and share with our readers the work we do in the vulnerability management field. [Ed: If you don't listen to Risky Business then, as we say in South Africa, eish.] Ron explained that with Nessus they aim to give users a tool that can be used for monitoring and auditing - not enforcing. The "sed quis custodiet ipsos custodes" mantra comes to mind. For 9 years now we have been building two vulnerability management solutions named HackRack (for hosted, external scanning) and BroadView (for internal scanning) and it was especially HackRack that has claimed the limelight. The runt of the litter has always been BroadView, but alas (luckily?), no more.

We decided a while ago to invest our new ideas and technology in BroadView, and when that matured and stabilized, use the new BroadView as a base for new HackRack and HackRack PCI services.

And that process is nicely on track.

I mean, just look at this interface. The Blizzards page will allow BV users to get up to date stats about their environment but also allow them to quickly grasp the actual state of affairs on their network. Blizzards are visual sql queries that display averaged or calculated results of vulnerability scans as well as collected attributes. In the example below, one can quickly appreciate the impact of adding a batch of new machines to a scan, and the resulting impact on the New Issue count blizzard.

We don't see BV as just another vulnerability scanner. Its a data collector of note. It does not just scan,it also collects. From every networked device that is probed, attributes are collected that range from regular basic info such as IP addresses and operating system values, to machines without SMS agents and WebDAV directories on HTTP services.

In the weeks and months to come we will share with you the trial and tribulations to eventually bring to light BroadView v4, Final Release. We will share with you our frustration and jubilations in successfully executing intensity scans on virtualised hardware, how to mine for installed software on OS X and appreciating the amazing reduction in bandwidth utilisation by switching from SOAP to Thrift.

Well, I am off to go watch one our guys participate in a televised panel discussion - and at the same time figuring out if there are any advantages in being able to interface BroadView with our Saeco coffee machine ...